Asia-Pacific Roundup: TGA asks drugmakers to mitigate cybersecurity weakness amid ‘active malicious exploitation’

Australia’s Therapeutic Goods Administration (TGA) has asked drugmakers and other stakeholders to detect and mitigate a cybersecurity vulnerability. TGA made the request after learning of “widespread and active malicious exploitation” of the critical vulnerability in an open-source logging library.
 
Developers across multiple industries use Apache's Log4j to track activity in their software applications and online services. The log serves as a journal of activity that developers can use to identify problems for users. Rather than create logging code from scratch, many developers use the open-source Log4j to create a record of activity in their software.
 
TGA has taken an interest in Log4j because of Log4shell, a critical vulnerability that it thinks may pose risks relating to the unavailability or compromise of medical devices, data privacy, quality management systems and supply chains. In light of those risks, the agency is asking manufacturers to assess whether they are affected by the vulnerability, evaluate their risks and implement mitigations as needed.
 
“Manufacturers should review and take appropriate action for their websites, applications, data storage systems, digital interfaces and controls/processes (including for manufacturing and production systems). This is important to prevent unauthorized access to data or unauthorized changes to systems and controls relevant to manufacturing, quality management systems or production of therapeutic goods,” the agency wrote in guidance on the vulnerability.
 
TGA has set out seven steps that cover the minimum steps it wants manufacturers of therapeutic goods to take. The seven steps cover the immediate application of the latest patches, the implementation of appropriate detection and mitigation measures and the reporting of any adverse events or information related to exploitations of the vulnerability to TGA.
 
The agency has provided another set of mitigations for end users and is strongly encouraging patients and healthcare professionals to report problems with medical devices. Hologic, Siemens Healthineers and Varian are among the medtech companies with products affected by the vulnerability.
 
TGA Notice
 
TGA, after hitting its 2021 goals, identifies opportunities to improve its performance
 
TGA has identified areas for improvement across six key performance indicators (KPIs). The agency sees scope to improve despite a self-assessment finding it met its goals for each of the KPIs in the 2020-2021 financial year.
 
As part of the Australian government’s effort to reduce the impact of inefficient regulation on business, TGA tracks its performance against six KPIs. The KPIs include “regulators do not unnecessarily impede the efficient operation of regulated entities” and “actions undertaken by regulators are proportionate to the regulatory risk being managed.” TGA met all the KPIs in its most recent self-assessment.
 
Even so, at the request of TGA, the external validators of performance against the KPIs suggested ways to improve. The response to COVID-19 is a theme that runs through several of the suggested changes.
 
“While processing times for some non-COVID-19 related medical device applications were slightly longer than the comparable period in previous years due to the diversion of resources to COVID-19 activities, these were all still completed within legislative timeframes. We are continuing to examine learnings from our COVID-19 response and transfer these, wherever possible, into our regular business,” TGA wrote.
 
The agency also noted that COVID-19 disrupted business processes, including the way it consulted with industry, resulting in “some inconsistencies” in how it works. TGA plans to use the experience to inform business and process improvement.
 
TGA Report
 
Philippine FDA seeks feedback on categorization of ‘borderline’ health products
 
The Philippine Food and Drug Administration (FDA) is seeking feedback on the reclassification of health products that sit on the borderlines between categories such as drug and medical device.
 
FDA has provided an illustrative list of “borderline products” that it plans to update twice a year. The draft also features definitions of the different categories of products regulated by FDA to help determine how the agency will regulate borderline health goods. Market authorization applicants and holders make the initial determination, but FDA will reject applications for incorrectly classified products.
 
Borderline products that are already on the market and need reclassifying will be subject to a transition period. FDA will recognize the existing market authorizations for the remainder of their validity or extend them for one year from when the guidance takes effect. The provision means the holders of market authorizations will have at least one year to reclassify their products. After the transition period, FDA will disapprove any applications for product registration that are filed incorrectly.
 
The draft is open for comment until 21 January.
 
Draft Guidance
 
Pakistani regulator posts draft guidelines on good pharmacovigilance practices
 
The Drug Regulatory Authority of Pakistan (DRAP) has released draft good pharmacovigilance practice (GVP) guidelines for consultation. The text draws on guidelines used overseas, with some sections copied verbatim from the documents adopted by the European Medicines Agency (EMA).
 
In Europe, guidance on GVPs is spread across more than 12 modules. DRAP has condensed multiple EMA documents into a single, 63-page draft that covers the advice on pharmacovigilance systems found in Module I, the risk-minimization measures from Module XVI, the requirements on the use of therapeutic goods during pregnancy found in a population-specific text and more.
 
While structured differently than the EMA guideline, the DRAP draft makes many of the same points. The texts share a definition of a pharmacovigilance system and DRAP has also followed EMA’s approach on subjects such as the training of personnel for pharmacovigilance and the requirements for facilities and equipment involved in the activities.
 
The window for commenting on the draft is set to close on 15 January.
 
Draft Guidelines
 
India proposes delaying requirement for use of unique device identifiers
 
The Indian government has proposed updating the Medical Device Rules, 2017 to delay the mandated use of unique identifiers. Under the old rules, unique device identifiers (UDIs) were supposed to become a requirement on 1 January 2022.
 
Days before that deadline, the Indian government proposed a change to the rules. The proposed text reads: “With effect from the date as may be specified by Central Government, a medical device, approved for manufacture for sale or distribution or import, shall bear unique device identification in the manner as may be determined.”
 
The proposal effectively indefinitely delays the application of the UDI requirement. While UDIs are still part of the Medical Device Rules, there is no longer a target date for their implementation under the proposed text.
 
Draft Rules
 
Other News:
 
Malaysia’s National Pharmaceutical Regulatory Agency (NPRA) has told users of Avast software to move to a different antivirus provider after the company blocked access to its QUEST3+ domain. The software detects phishing on the domain, preventing users from accessing the product registration and licensing system. As the issue is limited to Avast, NPRA is asking users to change antivirus software. NPRA notice
 
TGA has published its 2021 stakeholder survey report. The findings of the survey of people working in the medical products industry are in line with the results of last year’s report. As in 2020, TGA found the lowest levels of agreement with the statements that it listens to feedback, is collaborative and genuinely considers the input and clearly explains the outcomes of consultations. TGA Report
 
TGA is seeking feedback on its database of listed medicine compliance review results. TGA Notice